The ICO exists to empower you through information.

  • ICO offers advice to the UK’s five and a half million SMEs
  • UK regulator says getting good data practices in place from the start will save business owners time and money, and boost customer confidence

Ahead of Data Protection Day, the Information Commissioner’s Office (ICO) is encouraging the UK’s 5,501,000* small-and-medium-sized businesses (SMEs) to check they have the right data protection practices in place to help sustain and develop their businesses.

Good data protection practices project positively on a company’s reputation. A recent survey, commissioned by the ICO, showed 91% of people worried about having their personal information sold to other companies without their consent, and 87% worried about a company losing their personal information.

Data protection law sets out what businesses should do to make sure they are looking after people’s personal information properly and fairly. In addition to the legal requirement, good data protection makes economic sense. It saves business owners time and money, and shows customers their information is being treated correctly. The ICO has a suite of free resources providing advice and guidance on its dedicated SME hub.

Paul Arnold, Chief Operating Officer, ICO, said:

“As we head into a new year, and a tough year for many small businesses, we want to help business owners work confidently and responsibly with the personal information they hold. It can be an incredibly valuable asset when held and processed responsibly and can enable hard-working business owners to develop their business, whilst instilling a real sense of confidence in their customers.

“Generally speaking, data protection law applies to all workplaces, business ventures, enterprises, societies, groups and clubs. That includes sole traders, the self-employed and company owners and directors. We live in a data-driven world and if used in the right way, data can really help a business achieve greater success.

“Data protection compliance is not a barrier to business success and the ICO is here to help. For example, we want to empower businesses and organisations to ensure their email marketing databases are working as hard as possible to reach the right customers, lawfully, every time.”


Getting started in data protection – the ICO’s top tips for beginners in business:

  1. Make a list – Start off by making a list of what personal information you have or plan to collect. You need to be able to account for all of it.
  2. Ask why – There’s a balance to be made between what you want to do with people’s personal information, the benefits that brings to them and any harm that might be caused as a result. If you’re holding or using people’s personal information, it must always be fair as well as lawful.
  3. Think security - Check your security measures line up with the sensitivity of the information you hold. Put stronger security measures in place if the data poses a higher risk or is sensitive
  4. Be transparent - It’s essential to explain to people: why you hold information about them; what you'll do with it; and how long you'll keep it before safely disposing of it. This should also be recorded in a privacy notice.
  5. Know about subject access requests - People have the legal right to know what personal information you hold about them. Use our step-by-step guide on how to deal with a subject access request.
  6. Have a data breach action plan in place - If you lose personal information and it is likely to result in a risk to the people affected, you’ll need to report to us. Check out our guide on how to respond to a personal information breach so you know what steps to take in an emergency.
  7. Check in with us regularly - The ICO website is updated regularly to help you take simple steps towards improving your data compliance.

The ICO’s advice for businesses comes as the regulator completes a pilot programme with up to 60 SMEs from across the UK, in which they have been trialling a new training and development programme. Named SME Data Essentials, it is aimed at empowering organisations to become better equipped to manage their own data compliance.

The pilot forms part of ICO25, the ICO’s new three-year strategic plan which details how the ICO will bring down the cost of compliance whilst enabling and supporting SMEs to invest, innovate and grow.

The ICO has a dedicated SME hub for sole traders, SMEs, charities, clubs and organisations who have queries about data protection, electronic marketing and freedom of information.

Notes for editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audits. 
  4. Data Protection Day is an annual event held on 28 January, with the aim of creating awareness about the importance of respecting privacy, safeguarding data and enabling trust.
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to  ico.org.uk/concerns.